2022-02-26 20:07:39 -06:00
|
|
|
import { promisify } from 'node:util';
|
2022-09-17 13:27:08 -05:00
|
|
|
import bcrypt from 'bcryptjs';
|
2023-06-01 21:34:38 -05:00
|
|
|
import cbor from 'cbor';
|
2022-09-17 13:27:08 -05:00
|
|
|
import { Inject, Injectable } from '@nestjs/common';
|
|
|
|
|
import { Endpoint } from '@/server/api/endpoint-base.js';
|
|
|
|
|
import { UserEntityService } from '@/core/entities/UserEntityService.js';
|
2022-09-20 15:33:11 -05:00
|
|
|
import type { Config } from '@/config.js';
|
2022-09-17 13:27:08 -05:00
|
|
|
import { DI } from '@/di-symbols.js';
|
|
|
|
|
import { GlobalEventService } from '@/core/GlobalEventService.js';
|
|
|
|
|
import { TwoFactorAuthenticationService } from '@/core/TwoFactorAuthenticationService.js';
|
2022-09-20 15:33:11 -05:00
|
|
|
import type { AttestationChallengesRepository, UserProfilesRepository, UserSecurityKeysRepository } from '@/models/index.js';
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2019-07-04 12:00:54 -05:00
|
|
|
const cborDecodeFirst = promisify(cbor.decodeFirst) as any;
|
2019-07-03 06:18:07 -05:00
|
|
|
|
|
|
|
|
export const meta = {
|
2022-01-18 07:27:10 -06:00
|
|
|
requireCredential: true,
|
2019-07-03 06:18:07 -05:00
|
|
|
|
|
|
|
|
secure: true,
|
2022-02-18 23:05:32 -06:00
|
|
|
} as const;
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2022-02-19 22:15:40 -06:00
|
|
|
export const paramDef = {
|
2022-02-18 23:05:32 -06:00
|
|
|
type: 'object',
|
|
|
|
|
properties: {
|
|
|
|
|
clientDataJSON: { type: 'string' },
|
|
|
|
|
attestationObject: { type: 'string' },
|
|
|
|
|
password: { type: 'string' },
|
|
|
|
|
challengeId: { type: 'string' },
|
2023-02-20 01:40:24 -06:00
|
|
|
name: { type: 'string', minLength: 1, maxLength: 30 },
|
2021-12-09 08:58:30 -06:00
|
|
|
},
|
2022-02-18 23:05:32 -06:00
|
|
|
required: ['clientDataJSON', 'attestationObject', 'password', 'challengeId', 'name'],
|
2022-01-18 07:27:10 -06:00
|
|
|
} as const;
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2022-01-02 11:12:50 -06:00
|
|
|
// eslint-disable-next-line import/no-default-export
|
2022-09-17 13:27:08 -05:00
|
|
|
@Injectable()
|
|
|
|
|
export default class extends Endpoint<typeof meta, typeof paramDef> {
|
|
|
|
|
constructor(
|
|
|
|
|
@Inject(DI.config)
|
|
|
|
|
private config: Config,
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2022-09-17 13:27:08 -05:00
|
|
|
@Inject(DI.userProfilesRepository)
|
|
|
|
|
private userProfilesRepository: UserProfilesRepository,
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2022-09-17 13:27:08 -05:00
|
|
|
@Inject(DI.userSecurityKeysRepository)
|
|
|
|
|
private userSecurityKeysRepository: UserSecurityKeysRepository,
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2022-09-17 13:27:08 -05:00
|
|
|
@Inject(DI.attestationChallengesRepository)
|
|
|
|
|
private attestationChallengesRepository: AttestationChallengesRepository,
|
2019-07-03 06:18:07 -05:00
|
|
|
|
2022-09-17 13:27:08 -05:00
|
|
|
private userEntityService: UserEntityService,
|
|
|
|
|
private globalEventService: GlobalEventService,
|
|
|
|
|
private twoFactorAuthenticationService: TwoFactorAuthenticationService,
|
2019-07-03 06:18:07 -05:00
|
|
|
) {
|
2022-09-17 13:27:08 -05:00
|
|
|
super(meta, paramDef, async (ps, me) => {
|
|
|
|
|
const rpIdHashReal = this.twoFactorAuthenticationService.hash(Buffer.from(this.config.hostname, 'utf-8'));
|
|
|
|
|
|
|
|
|
|
const profile = await this.userProfilesRepository.findOneByOrFail({ userId: me.id });
|
|
|
|
|
|
|
|
|
|
// Compare password
|
|
|
|
|
const same = await bcrypt.compare(ps.password, profile.password!);
|
|
|
|
|
|
|
|
|
|
if (!same) {
|
|
|
|
|
throw new Error('incorrect password');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!profile.twoFactorEnabled) {
|
|
|
|
|
throw new Error('2fa not enabled');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const clientData = JSON.parse(ps.clientDataJSON);
|
|
|
|
|
|
|
|
|
|
if (clientData.type !== 'webauthn.create') {
|
|
|
|
|
throw new Error('not a creation attestation');
|
|
|
|
|
}
|
|
|
|
|
if (clientData.origin !== this.config.scheme + '://' + this.config.host) {
|
|
|
|
|
throw new Error('origin mismatch');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const clientDataJSONHash = this.twoFactorAuthenticationService.hash(Buffer.from(ps.clientDataJSON, 'utf-8'));
|
|
|
|
|
|
|
|
|
|
const attestation = await cborDecodeFirst(ps.attestationObject);
|
|
|
|
|
|
|
|
|
|
const rpIdHash = attestation.authData.slice(0, 32);
|
|
|
|
|
if (!rpIdHashReal.equals(rpIdHash)) {
|
|
|
|
|
throw new Error('rpIdHash mismatch');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const flags = attestation.authData[32];
|
|
|
|
|
|
|
|
|
|
// eslint:disable-next-line:no-bitwise
|
|
|
|
|
if (!(flags & 1)) {
|
|
|
|
|
throw new Error('user not present');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const authData = Buffer.from(attestation.authData);
|
|
|
|
|
const credentialIdLength = authData.readUInt16BE(53);
|
|
|
|
|
const credentialId = authData.slice(55, 55 + credentialIdLength);
|
|
|
|
|
const publicKeyData = authData.slice(55 + credentialIdLength);
|
|
|
|
|
const publicKey: Map<number, any> = await cborDecodeFirst(publicKeyData);
|
|
|
|
|
if (publicKey.get(3) !== -7) {
|
|
|
|
|
throw new Error('alg mismatch');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const procedures = this.twoFactorAuthenticationService.getProcedures();
|
|
|
|
|
|
|
|
|
|
if (!(procedures as any)[attestation.fmt]) {
|
2023-07-20 17:49:39 -05:00
|
|
|
throw new Error(`unsupported fmt: ${attestation.fmt}. Supported ones: ${Object.keys(procedures)}`);
|
2022-09-17 13:27:08 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const verificationData = (procedures as any)[attestation.fmt].verify({
|
|
|
|
|
attStmt: attestation.attStmt,
|
|
|
|
|
authenticatorData: authData,
|
|
|
|
|
clientDataHash: clientDataJSONHash,
|
|
|
|
|
credentialId,
|
|
|
|
|
publicKey,
|
|
|
|
|
rpIdHash,
|
|
|
|
|
});
|
|
|
|
|
if (!verificationData.valid) throw new Error('signature invalid');
|
|
|
|
|
|
|
|
|
|
const attestationChallenge = await this.attestationChallengesRepository.findOneBy({
|
|
|
|
|
userId: me.id,
|
|
|
|
|
id: ps.challengeId,
|
|
|
|
|
registrationChallenge: true,
|
|
|
|
|
challenge: this.twoFactorAuthenticationService.hash(clientData.challenge).toString('hex'),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (!attestationChallenge) {
|
|
|
|
|
throw new Error('non-existent challenge');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
await this.attestationChallengesRepository.delete({
|
|
|
|
|
userId: me.id,
|
|
|
|
|
id: ps.challengeId,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Expired challenge (> 5min old)
|
|
|
|
|
if (
|
|
|
|
|
new Date().getTime() - attestationChallenge.createdAt.getTime() >=
|
|
|
|
|
5 * 60 * 1000
|
|
|
|
|
) {
|
|
|
|
|
throw new Error('expired challenge');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const credentialIdString = credentialId.toString('hex');
|
|
|
|
|
|
|
|
|
|
await this.userSecurityKeysRepository.insert({
|
|
|
|
|
userId: me.id,
|
|
|
|
|
id: credentialIdString,
|
|
|
|
|
lastUsed: new Date(),
|
|
|
|
|
name: ps.name,
|
|
|
|
|
publicKey: verificationData.publicKey.toString('hex'),
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Publish meUpdated event
|
|
|
|
|
this.globalEventService.publishMainStream(me.id, 'meUpdated', await this.userEntityService.pack(me.id, me, {
|
|
|
|
|
detail: true,
|
|
|
|
|
includeSecrets: true,
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
return {
|
|
|
|
|
id: credentialIdString,
|
|
|
|
|
name: ps.name,
|
|
|
|
|
};
|
|
|
|
|
});
|
2019-07-03 06:18:07 -05:00
|
|
|
}
|
2022-09-17 13:27:08 -05:00
|
|
|
}
|
